In March 2025, the European Commission and the High Representative presented Readiness 2030 — the White Paper for European Defence, designed to enable over €800 billion in combined European defence investment through fiscal flexibility, SAFE capital market loans, and EIB mechanisms. Most analysts read it as a military story. That reading misses the point. At its core, Readiness 2030 is a forced reckoning with three decades of accumulated dependency: technological, legal, and institutional. The organisations that understand this distinction will compete for and win the mandates that define the next decade. Those that read it as a procurement story will be left behind.

The Strategic Shift

Europe did not rearm. Europe woke up.

The narrative of European rearmament frames what is happening primarily as a response to Russian aggression. That framing is accurate but incomplete. What the invasion of Ukraine, renewed competition around Greenland and the Arctic, and uncertainty surrounding long-term US strategic commitments have collectively produced is not merely a military awakening — it is a strategic identity crisis. Europe discovered, under pressure, that it had externalised not just its security, but the technological infrastructure on which security depends.

EU member states spent approximately €343 billion on defence in 2024 — a 19% rise from 2023, with projections reaching €381 billion in 2025 (Carnegie Endowment for International Peace, 2025). NATO reported that a record number of member states were meeting or exceeding the 2% GDP spending target — a significant milestone after years of persistent shortfalls. The Hague Summit in June 2025 established a new investment blueprint: 5% of GDP by 2035, structured as 3.5% for core military requirements and 1.5% for hybrid resilience, critical infrastructure, and cyber capabilities. It is a political commitment that fundamentally rewrites allied spending expectations. Germany approved a defence framework of €108.2 billion for 2026 — combining its core budget of €83 billion with the off-budget Sondervermögen Bundeswehr of €25.5 billion — for the first time positioning Berlin as Europe's highest absolute defence spender by this measure.

These numbers are significant. But they are the wrong lens. The real story is in what European governments discovered when they tried to spend that money. According to late-2025 venture tracking data, approximately 65% of European Defence-Tech late-stage capital involves non-EU investment structures (Russell Investments, September 2025). Strategists increasingly debate whether dependence on foreign-owned cloud infrastructure could create operational vulnerabilities during a conflict. The F-35 programme illustrates the wider concern: sustained allied operation depends on US-controlled software updates, mission data systems and sustainment infrastructure — a dependency that is technical, contractual and strategic simultaneously. The CLOUD Act extends US legal access obligations to cloud providers subject to US jurisdiction, irrespective of where data is physically stored — a structural exposure for European governments and enterprises operating on US-headquartered platforms.

The Real Instituto Elcano has framed Spain's position with particular precision. According to Elcano Barometer data, Spain faces an asymmetric strategic threat perception: Morocco is identified as the primary concern by 55% of Spanish citizens, Russia by 33% — yet Spain must simultaneously manage NATO commitments, EU institutional positioning, and industrial integration into a rearmament cycle it has only recently joined with conviction. Spain's defence spending stood at 1.28% of GDP in 2024 — the lowest percentage among NATO member states — while the government simultaneously committed to reaching 2% by the 2025–2026 fiscal cycle and announced an additional €10.5 billion for its industrial and technological defence base. Spain's position within emerging European defence coordination formats is shaped in part by this historically lower spending relative to major allies, alongside a complex domestic political calculus.

800B
EU Readiness 2030
combined investment enabled
European Commission White Paper, March 2025
44%
European DSR investment
directed at AI-based systems
Dealroom / NATO Innovation Fund, February 2026
65%
EU Defence-Tech capital
involving non-EU investment
Russell Investments, September 2025
The Technology Dimension

Sovereign AI is not a
luxury — it is a requirement.

The most consequential debate in European defence today is not about tanks or fighter jets. It is about who controls the data, the algorithms, and the cloud infrastructure on which next-generation defence capability depends. And Europe's current answer — largely, the United States — is increasingly untenable as a long-term strategic position.

Commission policy priorities in September 2025 placed strategic AI autonomy at the centre of the European agenda. The EuroStack initiative — a coordinated industrial effort to build indigenous, low-latency military cloud nodes and sovereign large language models — began assembling European defence and technology companies around this objective. In November 2025, German Chancellor Merz and French President Macron convened bilateral discussions that foregrounded European digital sovereignty as a strategic priority. On the operational side, the Austrian armed forces proceeded with migrating core enterprise IT networks onto European sovereign cloud stacks, while the Dutch Ministry of Defence moved to establish a domestically controlled cloud ecosystem — concrete national steps in a broader continental decoupling from foreign-controlled digital infrastructure.

McKinsey's sovereign AI research (March 2026) identifies the core strategic problem: most sovereign AI initiatives are failing not because of technical limitations, but because organisations systematically underestimate the organisational transformation required. Sovereign cloud and AI migrations typically take three to four years. They are not vendor switches — they are institutional redesigns. The report notes that enterprises are the demand engines that make sovereignty economically viable, but that very few have moved beyond road maps to actual strategy, budgets, and workload tiering.

The regulatory dimension compounds the strategic one. While the EU AI Act carves out purely military systems, civilian and dual-use applications developed or operated by defence organisations may still fall within scope, depending on deployment context — a boundary that defence primes and their civilian supply chains are actively navigating. NIS2 and DORA create compliance obligations for entities within their scope, including the civilian and commercial arms of defence-adjacent organisations depending on their classification and activity. NATO's Principles for Responsible Use of AI increasingly influence operational governance discussions in domains beyond the direct scope of the AI Act. The result is a compliance architecture that no single discipline — legal, technical, or strategic — can navigate in isolation.

The organisations that will shape Europe's security architecture are not the ones with the largest procurement budgets. They are the ones that understand simultaneously where the law ends, where the technology begins, and where the institutional relationships that enable both must be built.

— Alejandro Casasempere · Managing Partner, Ahorro Sostenible
Where the Literature Disagrees

The contested terrain

Across the literature — from Real Instituto Elcano to Carnegie Endowment, from Chatham House to the European Parliament — three substantive contradictions recur consistently. Understanding them is not academic. They define the strategic choices that organisations operating in this space must make now.

Contradiction Position A Position B Why They Disagree
Speed vs. Sovereignty Frontline states (Poland, Baltics) must prioritise immediate procurement from any capable supplier — sovereignty concerns are a long-term consideration that cannot delay operational readiness (Carnegie Endowment, 2025) Acquiring non-European systems now creates structural dependencies that will take decades to undo, locking Europe into a second cycle of external reliance (Chatham House, 2026) Geopolitical geography: proximity to Russia changes the discount rate on sovereignty. Poland at 4.7% GDP spending rationally prioritises speed; France or Spain at 2% can afford to prioritise long-term integration.
NATO vs. EU Defence Identity European strategic autonomy is compatible with and complementary to NATO — greater EU defence capacity strengthens the alliance (EU White Paper, Readiness 2030, March 2025) PESCO and EDF have produced political signalling more than operational capability; genuine European autonomy would require independent command structures that challenge NATO's core architecture (NATO strategic analysis, December 2025) Institutional framing: EU documents assess compatibility from Brussels; security analysts assess it from operational military reality. Both are correct within their respective frame of reference.
Sovereign AI: Ambition vs. Execution European sovereign AI is advancing rapidly — EuroStack, national cloud projects in Austria and the Netherlands, €225M EDF AI funding — and is on track to deliver strategic independence (EU Parliament, 2025) Most sovereign AI initiatives are stalling at the road-map stage; a majority of late-stage capital involves non-European investment structures; migration timelines run 3–4 years; few organisations have moved beyond strategy to budget commitment (McKinsey, March 2026) Measurement: institutional sources count initiatives launched; McKinsey measures adoption achieved. Both data sets are accurate. The gap between them is the story.
Structured Knowledge Map

What the field collectively knows

European Defence & Sovereign Technology — Perspectives, May 2026
Central Claim
European strategic autonomy is no longer optional — it is a structural response to US strategic uncertainty, Russian military pressure, and technological dependency risk converging simultaneously in a way not seen since the Cold War.
Supporting Pillars
Defence spending has decisively shifted — a record number of NATO members now meet or exceed 2% of GDP; Germany leads European absolute spending for the first time; the Hague Summit's 5% political blueprint fundamentally reshapes allied expectations through 2035.
Technology dependency is the strategic vulnerability — cloud infrastructure, AI systems, semiconductors, and satellite communications are identified as systemically exposed across Elcano, Chatham House, and McKinsey simultaneously. This is the analytical consensus.
The regulatory architecture is fragmented but converging — EU AI Act, NIS2, DORA, NATO Responsible Use Principles, and CMMC 2.0 create overlapping compliance obligations that are growing stricter and more interconnected each year.
Dual-use innovation is the economic engine — AI-based systems directed approximately 44% of European Defence and Security Research investment in 2025; M&A activity in aerospace and defence reached significant scale; the civil-military technology boundary has effectively dissolved in practice.
Contested Zones
Speed vs. sovereignty in procurement — frontline states buying non-European now vs. integration advocates accepting short-term capability gaps for long-term independence. Both positions are rational given different threat environments.
Whether EU defence institutions deliver capability or political signal — PESCO's 60+ projects vs. the persistent challenge of translating collaborative initiatives into fully integrated operational capabilities.
Frontier Questions
Who governs autonomous weapons with legal accountability? Existing international humanitarian law applies, but no dedicated international framework yet comprehensively governs large-scale autonomous lethal decision-making at operational speed and scale.
Can Europe achieve genuine sovereign AI infrastructure within the operational time horizon? A 3–4 year migration timeline for sovereign cloud adoption sits in direct tension with the urgency of the strategic environment.
Field Synthesis

What is proven. What is contested.
What nobody has answered yet.

What the field collectively believes: European strategic autonomy is a structural necessity, not a political preference. The combination of US strategic uncertainty, Russian revisionism, and technological dependency has made external reliance on a single security patron existentially risky. Spending is rising, commitment is genuine, and the political will is more durable than at any point since the end of the Cold War.

What remains contested: Whether the institutional architecture — PESCO, EDF, SAFE — can translate political ambition into operational capability at the pace the threat environment demands. Whether the sovereignty imperative in AI and cloud can be achieved before the window closes, given significant capital dependency on non-European investment structures and the organisational complexity of sovereign migrations at scale.

What has been proven beyond reasonable doubt: That the boundary between civilian and military technology has dissolved. That AI governance and defence strategy are increasingly the same problem seen from different angles. That organisations operating across this boundary without integrated legal, technological, strategic, and institutional expertise are navigating blind.

The single most important unanswered question: If a European military crisis requires activating AI systems, cloud infrastructure, and command-and-control platforms built and operated by US companies — and those companies face US legal obligations that conflict with European operational requirements — what actually happens? No institution, no legal framework, and no government has yet developed a credible operational answer to that question.

The Five-Minute Version

What this means for your organisation

Three things every senior leader operating in this space needs to understand
1
The proven fact: Europe's defence transformation is simultaneously one of the most consequential regulatory shifts, technology procurement cycles, and institutional restructurings in post-Cold War European history. A growing number of organisations across aerospace, defence, finance, public sector, and advanced technology are being affected — whether or not they think of themselves as being in the defence sector. The civil-military boundary has dissolved in practice.
2
The honest admission: No broad international consensus has yet emerged on governing sovereign AI in defence environments, no accountability framework exists for autonomous weapons at operational scale, and the institutional architecture for genuinely independent European capability is still being constructed. The organisations that engage now — while rules are still being written — will shape the outcome. Those that wait for regulatory clarity will find the rules written around them.
3
The real-world implication: A crisis that is simultaneously a procurement decision, a data sovereignty question, an EU regulatory compliance obligation, and an institutional relations challenge cannot be solved by a law firm, a financial adviser, a technology consultant, or a public affairs firm working independently. It requires all five dimensions — strategy, finance, law, data & AI, and institutional affairs — working as one.